How to set up Single Sign-On (SSO)

This article walks through what your IT team needs to supply and do to connect your identity provider to Indivd via SSO. Once complete, your users can log in to Indivd using your organisation's existing credentials.

Included in: ✓ Indivd Pro    ✓ Indivd Complete

Related articles

• Single Sign-On (SSO) for Indivd

This article contains the following topics:

• Before you start
• What Indivd needs from your IT team
• Redirect URIs to register
• What you receive from Indivd
• Testing the connection

Before you start

SSO setup requires coordination between your IT team and Indivd. Your identity provider must support OpenID Connect (OIDC). Before starting, confirm that the person leading this on your side has admin access to your identity provider configuration.

Note: SSO is configured per organisation. Contact your Indivd account contact to initiate the process and confirm your environment is ready.

What Indivd needs from your IT team

To configure SSO for your organisation:

1. Confirm that your identity provider supports OpenID Connect.
2. Share your OpenID Connect configuration endpoint URL (the .well-known/openid-configuration URL) with your Indivd contact.

3. Share the following values from your identity provider:

   Field	Description
   Application (client) ID	The client ID Indivd will use to identify itself to your IdP
   Client secret	Share securely, for example via an encrypted message or password manager. Do not send via plain email.
   Scope	Typically openid
   Authorization URL	The OAuth 2.0 authorisation endpoint
   Token URL	The OAuth 2.0 token endpoint
   JWKS URL	The endpoint exposing your public signing keys

4. Register the Indivd redirect URIs in your identity provider (see the next section).

Note: The client secret must be shared directly with the Indivd developer handling the integration, not placed in a shared document or email thread. Your IT contact and the Indivd developer should agree on a secure transfer method before proceeding.

Redirect URIs to register

To allow Indivd to complete the authentication flow, register the following redirect URIs in your identity provider:

1. Open your identity provider's application settings for the Indivd client.
2. Add the following values to the list of allowed redirect URIs:
   • https://ssoapi.indivd.com/auth/sso/callback/ — production environment
   • http://localhost:8000/auth/sso/callback/ — local development (required for Indivd developers during testing)
3. Save the changes in your identity provider.
4. Notify your Indivd contact that the redirects have been registered.

Note: Both URIs are required. The production URI is needed for live users. The localhost URI is only used by Indivd developers when verifying the integration locally and does not affect end users.

What you receive from Indivd

Once the integration is configured on the Indivd side, you will receive confirmation that the connection has been tested against your environment. Indivd will confirm that the setup matches your identity provider configuration before any users are migrated to SSO login.

Testing the connection

To verify the SSO integration is working:

1. Confirm with your Indivd contact that the backend configuration is complete on the Indivd side.
2. Attempt to log in to Indivd using your organisation's SSO credentials.
3. If the login succeeds and you are redirected correctly, the integration is working.
4. If you encounter errors, share the error message or description with your Indivd contact for troubleshooting.

Note: If your team needs to access an access token for application-level access, request the client ID scope from your identity provider admin. Contact your Indivd account contact if you are unsure whether this applies to your setup.